Adi Shamir's Cube Attacks

At this moment, Adi Shamir is giving an invited talk at the Crypto 2008 conference about a new type of cryptanalytic attack called "cube attacks." He claims very broad applicability to stream and block ciphers.

My personal joke -- at least I hope it's a joke -- is that he's going to break every NIST hash submission without ever seeing any of them. (Note: The attack, at least at this point, doesn't apply to hash functions.)

More later.

EDITED TO ADD (8/19): AES is immune to this attack -- the algebraic degree of its output, written as a polynomial in the key and plaintext bits, is far too high -- and the same holds for all the block ciphers we use. But, in general, anything whose output can be described by a low-degree polynomial equation is vulnerable, and that covers pretty much every LFSR-based scheme.

EDITED TO ADD (8/19): The typo that amused you all below has been fixed. And this attack doesn't apply to any block cipher -- DES, AES, Blowfish, Twofish, anything else -- in common use; their degree is much too high. It doesn't apply to hash functions at all, at least not yet -- but again, the degree of all the common ones is much too high. I will post a link to the paper when it becomes available; I assume Adi will post it soon. (The paper was rejected from Asiacrypt, demonstrating yet again that the conference review process is broken.)

EDITED TO ADD (8/19): Adi's coauthor is Itai Dinur. Their plan is to submit the paper to Eurocrypt 2009. They will publish it as soon as they can, depending on the Eurocrypt rules about prepublication.
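The post above could not describe the attack, since the paper was not yet public. As an added illustration that is not part of the original post, here is the core of the technique as Dinur and Shamir later published it ("Cube Attacks on Tweakable Black Box Polynomials", Eurocrypt 2009), run against a constructed toy polynomial rather than any real cipher. The cipher is modelled as a black-box polynomial f(x, k) over GF(2) in public bits x and key bits k. Summing f over all values of a subset I of the public bits (the "cube"), with the other public bits fixed, cancels every monomial that lacks some variable of I and leaves the "superpoly" of x_I; when f has low degree, many superpolys are affine in the key. Preprocessing (attacker controls the key) finds such cubes, called maxterms, with a linearity test; the online phase (key fixed and unknown, chosen public inputs only) evaluates each maxterm's cube sum and solves the resulting linear system. The toy cipher, its monomials, the 4-bit sizes and the function names are all assumptions of this example.

```python
import itertools

N_PUB, N_KEY = 4, 4   # public (tweak/IV) bits and secret key bits of the toy cipher


def toy_cipher(x, k):
    """Constructed toy 'tweakable black-box polynomial' over GF(2), degree 3.

    x: 4 public bits chosen by the attacker, k: 4 secret key bits.
    Returns one output bit. The monomials are made up for this example."""
    x0, x1, x2, x3 = x
    k0, k1, k2, k3 = k
    return ((x0 & x1 & k0) ^ (x0 & x1 & k2) ^ (x0 & x1 & x2)
            ^ (x2 & x3 & k1) ^ (x2 & x3 & k3) ^ (x2 & x3)
            ^ (x0 & x3 & k3) ^ (x1 & k1 & k2) ^ (x3 & k0) ^ k3 ^ 1)


def cube_sum(oracle, cube):
    """XOR oracle(x) over all 2^|cube| settings of the cube's public bits, with
    every other public bit fixed to 0. Over GF(2) each monomial lacking some
    cube variable is summed an even number of times and vanishes, so the
    result is the superpoly p_I(k) of the monomial x_I."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        x = [0] * N_PUB
        for var, bit in zip(cube, bits):
            x[var] = bit
        acc ^= oracle(tuple(x))
    return acc


def xor_vec(a, b):
    return tuple(i ^ j for i, j in zip(a, b))


def affine_superpoly(f, cube):
    """Preprocessing phase (attacker may set the key): keep the cube only if
    p_I(k) is affine in k, using the BLR test p(0)^p(a)^p(b)^p(a^b) == 0, then
    read off p_I(k) = const ^ XOR(coef_i * k_i). The toy key space is tiny, so
    every (a, b) pair is tested; a real attack samples random pairs.
    Returns (const, coefs), or None if p_I is nonlinear or constant."""
    p = lambda k: cube_sum(lambda x: f(x, k), cube)
    zero = (0,) * N_KEY
    keys = list(itertools.product((0, 1), repeat=N_KEY))
    for a in keys:
        for b in keys:
            if p(zero) ^ p(a) ^ p(b) ^ p(xor_vec(a, b)):
                return None
    const = p(zero)
    coefs = [p(tuple(int(j == i) for j in range(N_KEY))) ^ const
             for i in range(N_KEY)]
    if not any(coefs):
        return None          # constant superpoly carries no key information
    return const, coefs


def find_maxterms(f):
    """Try every nonempty set of public variables as a cube; keep the maxterms."""
    maxterms = {}
    for size in range(1, N_PUB + 1):
        for cube in itertools.combinations(range(N_PUB), size):
            form = affine_superpoly(f, cube)
            if form:
                maxterms[cube] = form
    return maxterms


def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2); returns the unique solution or None."""
    n = len(rows[0])
    aug = [row[:] + [b] for row, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(aug)) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        for i in range(len(aug)):
            if i != r and aug[i][c]:
                aug[i] = [u ^ v for u, v in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if len(pivots) < n:
        return None          # underdetermined: more maxterms needed
    return tuple(aug[i][-1] for i in range(n))


def cube_attack(oracle, maxterms):
    """Online phase: key fixed and unknown, chosen public inputs only. Each
    maxterm gives one affine equation  coefs . k = p_I(k) ^ const."""
    rows = [coefs for const, coefs in maxterms.values()]
    rhs = [cube_sum(oracle, cube) ^ const
           for cube, (const, coefs) in maxterms.items()]
    return solve_gf2(rows, rhs)


def demo(secret=(1, 0, 1, 1)):
    maxterms = find_maxterms(toy_cipher)
    oracle = lambda x: toy_cipher(x, secret)     # attacker never reads `secret`
    return maxterms, cube_attack(oracle, maxterms)


if __name__ == "__main__":
    found, recovered = demo()
    for cube, (const, coefs) in found.items():
        print("cube", cube, "-> superpoly const", const, "coefs", coefs)
    print("recovered key:", recovered)
```

On this toy, four cubes ({x3}, {x0,x1}, {x0,x3}, {x2,x3}) have affine superpolys, while {x1} is rejected because its superpoly k1*k2 is quadratic; the four equations have full rank and the online phase recovers the key with 2+4+4+4 chosen queries. The reason block ciphers of high degree resist this is visible in the code: a superpoly of a degree-d cipher is only affine for cubes of size about d-1, so the cube sums cost 2^(d-1) queries each before any maxterm can even be found.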

On your personal joke: After hearing Adi's talk and sharing opinions with him and others, my intuition is that only very specially structured submissions to the NIST Hash submission (maybe none) will/would have been broken by this technique. But it is an interesting technique nevertheless.

"After hearing Adi's talk and sharing opinions with him and others, my intuition is that only very specially structured submissions to the NIST Hash submission (maybe none) will/would have been broken by this technique. But it is an interesting technique nevertheless."

Agreed. Unless someone implements an LFSR-based hash function -- even a complex one -- it's not going to fall to this technique. I'm certainly not worried about my design.

You both say you went to the presentation, and have made assuring comments about some current systems.

Bruce you note that Adi (for whatever reasons) has not yet posted the paper up anywhere.

Is there any reason you cannot give us a bit more information on what the attack methodology and principles are?

After all, you make comments such as "No, not even a little bit." about Blowfish etc., and Adi "thinks that AES is immune to this attack -- the degree of the algebraic polynomial is too high". But you say LFSRs are vulnerable.

I'm guessing that, as LFSRs and AES can be defined as a closed algebraic formula over a finite field, and Adi used this in his XL / FXL attacks on AES, this is an improvement or variation on them.

As AES uses mainly linear building blocks, as do LFSRs, are other forms of cipher based on shift registers, but not using linear feedback, vulnerable?

Also, how about a little blue-sky thinking: the design of FEAL gave rise to differential attacks becoming effective, and thinking about this gave rise to new linear attacks.

For those who are at Crypto, does anyone care to give us even a hint as to how these new attacks work? Or did Shamir give very little away in his talk? Is the paper not in the proceedings? What about an abstract?

@akly: The paper is not in the proceedings. The title of the talk was "How to Solve it: New Techniques in Algebraic Cryptanalysis" according to the conference program.

Shamir has done work on algebraic attacks before (cf. the Kipnis-Shamir attack on HFE, XL), I expect that the "cube" attack relates to improved linearisation techniques for non-linear boolean equations. Precise details of the breakthrough will clearly have to wait. (The Eurocrypt deadline alluded to by Bruce is in 2-3 weeks.)

I'm no crypto guru, but I have read Schneier's Applied Cryptography and have read various papers describing cryptographic primitives. We don't know, at this point, whether this is a theoretical attack or a practical attack.

What this attack appears to affect is Radio Gatun, a nice, fairly new construction that can either be a hash or stream cipher, taking a key of any length. Radio Gatun is nice because its core can fit in under 2k of memory and it's an elegant, extensible construction.

However, scanning the paper describing Radio Gatun, I note the quote "It has algebraic degree 2" on page 10. So it looks like a nice, small, elegant cryptographic primitive might now have fallen.

How can you say that "The paper was rejected from Asiacrypt, demonstrating yet again that the conference review process is broken" ??

Have you read the paper submitted? How can we say this paper had to be accepted without knowing what exactly was inside?

A good invited talk doesn't necessarily imply that the paper was well written (though I reckon it's hard to find a badly written paper from Shamir).

It's true that the reviewing process is far from perfect, and there are many papers every year which are unfairly rejected. The difference here is that only a few are cryptographic gods enough to tell everyone that their paper has been rejected from a conference.

I have read B. Schneier's "Applied Cryptography", and a plain LFSR can be broken after 2n LFSR output bits using the Berlekamp-Massey algorithm, where n is the primitive polynomial degree. This is a practical attack. Maybe Shamir's cube attack is only theoretical, not actually practical?
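The Berlekamp-Massey attack mentioned in the comment above, as an added worked example that is not part of the page or of any commenter's post. A bare LFSR of length n is recovered from any 2n consecutive output bits and the rest of the keystream is then predicted; the same routine then measures what a nonlinear output filter does, which is why stream ciphers built from LFSRs (rather than bare LFSRs) need something beyond Berlekamp-Massey. The LFSR (feedback x^5 + x^3 + 1), its initial state and the quadratic filter are constructed for this example.

```python
def lfsr_bits(init, taps, n):
    """Fibonacci LFSR over GF(2): s_i = XOR of s_{i-t} for t in taps.
    init supplies s_0 .. s_{L-1}. taps=(2, 5) implements x^5 + x^3 + 1, which
    is primitive, so any nonzero state yields a period-31 m-sequence."""
    s = list(init)
    while len(s) < n:
        s.append(sum(s[-t] for t in taps) & 1)
    return s[:n]


def berlekamp_massey(s):
    """Shortest LFSR generating s (Massey's 1969 algorithm). Returns (L, conn)
    with conn = [1, c1, ..., cL] such that
    s_i = c1*s_{i-1} ^ ... ^ cL*s_{i-L} for every i >= L.
    Any 2L consecutive bits of a length-L LFSR determine it uniquely."""
    n = len(s)
    c = [1] + [0] * n
    b = [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:                                # discrepancy: correct c
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:                   # register must grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def predict(prefix, conn, n):
    """Run the recovered LFSR forward from the observed prefix."""
    L = len(conn) - 1
    s = list(prefix)
    while len(s) < n:
        s.append(sum(conn[j] & s[-j] for j in range(1, L + 1)) & 1)
    return s


def filtered_bits(init, taps, n):
    """Same LFSR behind a constructed quadratic filter z_i = s_{i+3} ^ s_{i+2}*s_i.
    The output is no longer a linear recurrence of order 5."""
    s = lfsr_bits(init, taps, n + 3)
    return [s[i + 3] ^ (s[i + 2] & s[i]) for i in range(n)]


def demo():
    init, taps = (1, 0, 0, 1, 1), (2, 5)
    stream = lfsr_bits(init, taps, 40)
    L, conn = berlekamp_massey(stream[:10])          # 2n = 10 bits suffice
    predicted_ok = predict(stream[:10], conn, 40) == stream
    Lz, _ = berlekamp_massey(filtered_bits(init, taps, 62))
    return L, conn, predicted_ok, Lz


if __name__ == "__main__":
    L, conn, ok, Lz = demo()
    print("bare LFSR: length", L, "connection", conn, "prediction ok:", ok)
    print("filtered LFSR: linear complexity", Lz)
```

Ten bits of the bare LFSR give back length 5 and the connection polynomial 1 + x^2 + x^5, and the remaining 30 bits are predicted exactly. The quadratic filter pushes the linear complexity to 15, which is Key's bound 5 + C(5,2) for a degree-2 filter on a 5-bit m-sequence; Berlekamp-Massey still works, but it now needs 30 bits and a filter of higher degree on a realistic register size takes the linear complexity out of reach, so an attack such as the cube attack has to exploit the low degree of the filter itself rather than the linearity of the register.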

When Bruce writes "pretty much every LFSR scheme", he doesn't just mean stream ciphers consisting ONLY of an LFSR (which as Ivars Suba says are well known to be weak). He means stream ciphers built from LFSRs - e.g. one or more LFSRs with many register bits combined using a nonlinear function to yield a keystream bit.

BUT the assertion does need qualifying. It is only REGULARLY CLOCKED LFSR-based stream ciphers that are likely to be vulnerable. Where there is irregular, data-dependent clocking of the LFSRs then it will typically be much harder to build a representation of low algebraic degree, and it is much less likely that the cube attack will apply.

Adi Shamir just gave a talk at TU Graz (at 11am today) where he described how to break arbitrary / unknown block ciphers using Cube Attacks and 1 bit (!) of side-channel information (e.g. from round 2 of AES-128 or round 3 of SERPENT), using known-plaintext attacks. IIRC the complexity he mentioned was 2^53 for AES-128, less for SERPENT. (Unknown ciphers require an attacker able to manipulate the key as well, and have higher complexity.) I don't know whether these results are published somewhere already; should have asked.